Simple private web service

  • Question

  • Dear all,

    I had created a web service and am consuming it from the client side through a WinForms application.

    Now, if someone gets to know the web service's URL from somewhere, he or she can also use it for his or her own applications.

    How can one go about securing a web service so that only my application can access it? That is, how can I make the web service private, or restricted to a specific application?


    Vikram Singh Saini (Freelancer on Elance)

    Friday, September 27, 2013 1:37 PM

Answers

  • Have you looked through the information on securing your WCF service? Are you hosting it in IIS with secure transport (https)? Using TransportWithMessageCredential should work pretty well in this case. Depending on how you want to set this up, you can use the MembershipProvider or some kind of custom authentication for the message credential part.

    Using the MembershipProvider seems overkill, since you would need to use a considerable set of resources with the database. If you only want your specific WinForms app to use the service and do not care about the identity of the WinForms user, you can use custom authentication and just hard-code your username and password into the WinForms app.

    If you go the custom approach, there is some really good documentation here

    Hope that helps! 


    Christine A. Piffat

    Friday, September 27, 2013 3:50 PM
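    The TransportWithMessageCredential setup with a custom validator that this answer describes, as an added example (not code from the thread or from the WCF documentation). The service type, contract type, address and the expected username/password are hypothetical placeholders; transport security (the HTTPS certificate) is assumed to be configured on the IIS/HTTP.sys binding.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Text;

// Hypothetical validator: the service accepts exactly one credential pair,
// the one compiled into the WinForms client. Placeholder values below.
public class AppCredentialValidator : UserNamePasswordValidator
{
    private const string ExpectedUser = "winform-client";            // placeholder
    private static readonly byte[] ExpectedPasswordHash =
        SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes("replace-me")); // placeholder

    public override void Validate(string userName, string password)
    {
        if (userName == null || password == null)
            throw new SecurityTokenException("Missing client credentials.");

        // Hash the supplied password so both arrays have the same length,
        // then compare every byte so timing does not reveal a matching prefix.
        byte[] given = SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes(password));
        int diff = 0;
        for (int i = 0; i < given.Length; i++)
            diff |= given[i] ^ ExpectedPasswordHash[i];

        if (userName != ExpectedUser || diff != 0)
            throw new SecurityTokenException("Unknown client application.");
    }
}

public static class PrivateServiceHost
{
    // Builds a host whose single endpoint requires HTTPS on the wire and a
    // username token in the SOAP message, checked by the validator above.
    public static ServiceHost Build(Type serviceType, Type contractType, Uri httpsAddress)
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        var host = new ServiceHost(serviceType, httpsAddress);
        host.AddServiceEndpoint(contractType, binding, "");

        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = new AppCredentialValidator();
        return host;
    }
}
```

    On the client, the proxy supplies the pair through `ClientCredentials.UserName.UserName` and `.Password` before the first call; the validator runs once per message, so a rejected credential fails the call with a security fault rather than reaching the service operation.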
  • Hi,

    To restrict access to the service you should use authentication and authorization. For example, using Windows integrated authentication will restrict access only to users from the same or trusted domains. But in your case you want to restrict access to a single application, so you need to use authorization. By implementing authorization you can further restrict access to only selected users or user groups. If you place all users of your client in a single domain group, you can simply say that only these users are allowed to call your service. Still, you will not restrict calls to only a single application: the user will be able to call your service from another app.

    If you really want to restrict your service to a single client application, you have to add your own custom authorization policy and send some "secret" token to prove the identity of your client application. The solution will still be fragile, because the end user can capture the communication (for example in Fiddler) and steal the token (so you need some message security), or simply disassemble the application and find the token.

    Best Regards,
    Amy Peng


    Thanks
    MSDN Community Support


    Monday, September 30, 2013 4:35 AM
    Moderator
